Hackers Defeat Apple's Touch ID on an iPhone 5S

Hackers from the Chaos Computer Club (CCC) say they have successfully bypassed the biometric security of Apple's recently released Touch ID on an iPhone 5s.

A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with Touch ID, the European association of hackers said on Saturday.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker going by the handle “Starbug”, who performed the experiments leading to the successful circumvention of Apple’s fingerprint lock. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hackers used a method to copy and fake fingerprints described in a tutorial the hacker club posted online in 2004.

“First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution,” the CC explained. “The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”

A video of the hacker tricking Touch ID into authenticating the fake fingerprint is demonstrated in the video below.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said CCC spokesperson Frank Rieger.

Rieger also voiced his concern over the security of fingerprint biometrics, along with privacy fears.

"The public should no longer be fooled by the biometrics industry with false security claims,” he said. “Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access. Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.”

Users could also be forced to unlock their phone against their will when being arrested, the CCC warned, noting that maintaining a strong passcode is a better alternative.

“Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.”

While agreeing that the hack is certainly possible, technology writer Owen Williams said that it’s easier said than done, and an attacker would have to be very motivated to conduct such an attack---and of course have physical access to the device.

“For those of you following at home, taking a 2400DPI image of a fingerprint is not exactly a simple task and will require quite a bit of digital cleanup before it can be used, as per the how-to walk though,” Williams noted in a blog post. “If you read through the process, it’s a long, slow process that your average thief would not likely have the time or motivation to undergo.”

“To be clear, the goal of Touch ID is not to be unhackable,” Williams added. “The goal is to get more consumers to move from no security at all to some security.”

“TouchID, as it currently stands, is simply a convenience tool, not a security tool,” noted Fortinet’s Richard Henderson in a blog post. “It certainly does work, and work well, but you should not rely upon it to protect the digital assets on your phone.”

“Apple needs to push out an iOS update that allows users of Touch ID to further secure their devices by enabling proper two-factor authentication with both a scan AND a passcode,” Henderson added.

“In my opinion, if you have people going to the lengths required to fool the iPhone 5s scanner and get into your device there are bigger problems on your hands,” Williams opined. “If you have sensitive documents on your phone that could endanger the world if they fell into the wrong hands perhaps you should reconsider storing those on a phone.”

Apple has implemented some features to deter attackers trying to get around the fingerprint lock. For example, when setting up an iPhone with Touch ID, users must also create a passcode as a backup, which must be used to unlock the phone if it has not been rebooted or unlocked for 48 hours.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.